How Fidelilium Helped an Accounting Firm Overcome a Ransomware Attack and Resume Operations
The situation
On the night of November 13–14, 2024, an accounting firm was hit by a ransomware attack that brought its entire operation to a standstill. Workstations, the production server, and even the backup server were encrypted, putting more than 30 years of client accounting data at risk. The firm, which uses ACD solutions for its current clients and SAGE Koala for its legacy clients, had been completely unable to operate for 15 days.
Unsecured remote access through RDP port forwarding, combined with a network infrastructure lacking firewall protection, likely facilitated the intrusion. The ransom demand of 0.04 BTC, surprisingly low considering the value of the data involved, suggested that the attacker was unaware of the true importance of the encrypted information.
The firm faced a dual challenge: restoring business operations while securing the imminent sale of the company, a transaction contingent upon the complete integration of all data into the acquirer’s system. Any partial data loss would have jeopardized the deal and potentially threatened the future of the firm itself.
What we did
From day one, the Fidelilium team implemented a structured and effective crisis management plan. Emergency measures were taken immediately, including the removal of RDP port forwarding, the recovery and reassembly of servers, and the deployment of an isolated infrastructure to prepare for business continuity in a degraded operating mode.
Faced with an outdated server environment and a large volume of data (700 GB), Fidelilium coordinated the compression and protection of critical data while arranging the provisioning of new workstations and an identical production server to support the recovery environment.
Recognizing both the urgency of the situation and the strategic importance of the data, the client decided to pay the ransom after successfully verifying the decryption of test files. Fidelilium provided support throughout the process, including the creation of a Bitcoin account, validation of the decryption keys, and the secure transfer of the required recovery tools.
The business recovery infrastructure was deployed rapidly and included:
- Extraction of the archived data and application of the decryption keys to 700 GB of encrypted files
- Comprehensive antivirus scanning
- Secure transfer of recovered data to an offline recovery server
- Integration into the ACD and SAGE applications, enabling an immediate partial resumption of operations
Thanks to this approach, the accounting firm was able to restart its activities while preserving the critical data required to complete the ongoing acquisition process. Fidelilium also recommended a comprehensive cybersecurity assessment of the target infrastructure to strengthen its security posture and prevent future incidents.